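<!doctype html>
<html lang="zh">
	<head>
		<meta charset="utf-8">
		<meta name="viewport" content="width=device-width, initial-scale=1">
		<title>JS Xss 前端XSS过滤组件</title>
		<style>
			label {
				display: block;
			}
			/* Output area for the submitted markup. The original inline style spelled
			   the property "boder", so no border was ever drawn. */
			#target {
				margin: 0.5em;
				padding: 0.5em;
				border: solid 1px silver;
				background-color: #fffff0;
			}
		</style>
		<!-- Encoders/filters under test. filterXSS.js and HtmlEncode.js provide the
		     globals called by the inline script below; JavaScriptEncode.js is loaded
		     but not exercised on this page. -->
		<script src="filterXSS.js"></script>
		<script src="JavaScriptEncode.js"></script>
		<script src="HtmlEncode.js"></script>
	</head>
	<body>
		<!-- The click handler renders this value into #target as live HTML without
		     filtering (the demo's baseline); the filtered variants are shown by the
		     document.write calls further down. -->
		<label for="html">HTML:</label>
		<input type="text" id="html">
		<button type="button" id="filter">submit</button>
		<br>
		<div id="target"></div>
		<hr>
		<script>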
			// Clicking "submit" renders the typed markup into #target as live HTML.
			// This is the unfiltered baseline of the demo; to exercise one of the
			// encoders instead, route the value through it first, e.g.
			//   target.innerHTML = xssCheck(raw);   or   target.innerHTML = filterXSS(raw);
			document.getElementById('filter').onclick = function () {
				var raw = document.getElementById('html').value;
				document.getElementById('target').innerHTML = raw;
			};

			function xssCheck(str,reg){//编码转义函数简单版，没有HtmlEncode完善
				return str ? str.replace(reg ||/[&<">'](?:(amp|lt|quot|gt|#39|nbsp|#\d+);)?/g,function (a, b) {
					if(b){
						return a;
					}else{
						return{
							'<':'&lt;',
							'&':'&amp;',
							'"':'&quot;',
							'>':'&gt;',
							"'":'\'',
						}[a]
					}
				}): '';
			}

			// Side-by-side demo: the sample markup is written once as live HTML (the
			// unfiltered baseline, so the link's inline handler is active on this page)
			// and then once through each encoder/filter so their output can be compared.
			(function () {
				var sample = '<br><a href="#" onclick="alert(/xss/)">click me</a><br>';
				document.write(sample);
				document.write(xssCheck(sample));
				document.write(filterXSS(sample));
				document.write(HtmlEncode(sample));
			}());
		</script>
	</body>
</html>
